The aws_iam_access_key resource is used to generate an IAM access key for a given user, which I suppose makes some sense given it allows for the creation of keys in AWS in the same way as any other resource.
When a terraform apply is run, the generated IAM access key and secret key are written to the Terraform state file, which - if you don't read the small warning in the documentation properly - might come as a surprise.
AWS only lets you view the IAM secret key once - when you first create the access and secret key pair. But by inserting it into the state file, it's then visible multiple times and can be checked into Git (this problem also occurs for secrets kept for other resources, such as RDS instances).
I wonder whether or not the aws_iam_access_key resource should be re-purposed to simply check for the existence of an access/secret key pair, rather than try to track the state of the pair and therefore its values?
Thoughts welcome, since this goes a little against the grain of AWS only giving us secret keys once and does have the possibility of some fairly serious security implications in certain scenarios.
My opinion here is that we should follow the model of aws_iam_user_login_profile, and allow specification of a PGP key or Keybase login with which to encrypt the access keys, so they may be securely communicated without being exposed to the operator. This would be a breaking change, but we could consider it for Terraform 0.8.
Any thoughts @phinze, @mitchellh?
@jen20 I think that makes sense; if there's a standard to be followed from another resource, I'd support its use. That also keeps similar functionality as at the moment, too. Nice idea! 👍
Agreed - let's follow the PGP/keybase pattern and queue this up for 0.8
Hey there – we implemented optional encrypting of the secret in https://github.com/hashicorp/terraform/pull/10615. Thanks!
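As an added illustration of the pattern settled on in this thread (example configuration, not code from the issue or the PR, written in current AWS provider syntax rather than the 0.8-era form): the plaintext variant whose secret lands in state beside the pgp_key variant that only stores ciphertext. The user name and Keybase handle are placeholders.

```hcl
# Added example, not from the issue or PR. User name and Keybase handle are placeholders.

resource "aws_iam_user" "deploy" {
  name = "example-deploy-user" # placeholder
}

# Weak: the plaintext secret is written to the state file, and therefore to
# every copy of it (remote backend, local disk, Git if the state is committed).
resource "aws_iam_access_key" "plaintext" {
  user = aws_iam_user.deploy.name
}

# Hardened: supply a PGP public key (base64-encoded) or "keybase:<username>".
# The provider encrypts the secret before it reaches state; `secret` is empty.
resource "aws_iam_access_key" "encrypted" {
  user    = aws_iam_user.deploy.name
  pgp_key = "keybase:example_operator" # placeholder handle
}

output "access_key_id" {
  value = aws_iam_access_key.encrypted.id
}

# Ciphertext only (base64-encoded); safe to print, useless without the private key.
output "encrypted_secret" {
  value = aws_iam_access_key.encrypted.encrypted_secret
}

# Fingerprint of the public key used, so the operator can confirm which key decrypts it.
output "key_fingerprint" {
  value = aws_iam_access_key.encrypted.key_fingerprint
}
```

The holder of the matching private key recovers the secret locally with `terraform output -raw encrypted_secret | base64 --decode | gpg --decrypt`; grepping the state file for `"secret"` after an apply is a quick check that the plaintext variant is no longer in use.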
@catsby <3